
MySQL error-based injection study notes: how the statement executes

2025-02-28 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

While learning how MySQL databases are injected using error reporting, I sorted out some personal study notes, which are limited to my personal understanding.

Database name: injection statement to get the database name

and (select 1 from (select count(*), concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1), floor(rand(0)*2)) x from information_schema.tables group by x) a) and 1

Database.table name: injection statement to get the table names in the database

and (select 1 from (select count(*), concat((select (select (select distinct concat(0x7e,0x27,hex(cast(table_name as char)),0x27,0x7e) from information_schema.tables where table_schema=0x636D73 limit 1)) from information_schema.tables limit 0,1), floor(rand(0)*2)) x from information_schema.tables group by x) a) and 1=1

My own analysis of the table name injection statement:

First, the statement in the green region is executed: select table_name from information_schema.tables where table_schema=0x636D73 limit 1. The 0x636D73 here is the hexadecimal form of the database name that was exposed earlier. The second step is to execute the cast() function, which converts the table name to characters, then the hex() function, which converts it to hexadecimal, and finally the concat() function, which joins the contents of its parentheses.

The light yellow statement is: select (the green statement). Meaning: the light yellow statement executes the green statement.

The light purple statement is: select (the light yellow statement) from information_schema.tables limit 0,1. Meaning: the light purple region executes the light yellow statement.

Next, the concat() function is executed and its result is aliased as x for use in group by.

The next step is to execute select count(*) from information_schema.tables group by concat(), where concat() holds the contents of the light purple region.

Finally, select 1 from (the deep ××× region content) is executed. Explanation: the deep ××× region generates a virtual table, and querying its first column causes the content of the error report to be displayed.

Partial explanation of the functions:

cast(): data type conversion

cast(expression as data_type): expression is any valid SQL expression; as separates the two parameters, with the data to be processed before as and the data type to convert to after as.

data_type: the data type

concat()

Concatenates strings with no delimiter

At least two parameters

E.g. select concat('ab','cd')

rand()

Returns a random floating point number between 0 and 1

Used in combination with floor()

floor()

Returns the largest integer not greater than x
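A defender-side check for the statement shape analysed above, as an added example that is not part of the original notes: it scores request lines for the traits the two statements share (count(*), concat() with 0x7e, floor(rand(0)*2), group by, information_schema). The log lines, trait names and threshold are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Traits shared by the two statements in these notes. Whitespace is removed
# before matching, so "floor (rand (0) * 2)" and "floor(rand(0)*2)" are equal.
TRAITS = {
    "floor_rand": re.compile(r"floor\(rand\(\d*\)\*2\)"),
    "count_star": re.compile(r"count\(\*\)"),
    "group_by": re.compile(r"groupby"),
    "info_schema": re.compile(r"information_schema\."),
    "concat_0x7e": re.compile(r"concat\(.*0x7e"),
}

def normalize(raw: str) -> str:
    """URL-decode, lowercase and strip all whitespace from a request line."""
    return re.sub(r"\s+", "", unquote_plus(raw).lower())

def traits_found(raw: str) -> list[str]:
    """Names of the traits present in one request line."""
    text = normalize(raw)
    return [name for name, rx in TRAITS.items() if rx.search(text)]

def is_error_injection(raw: str, threshold: int = 3) -> bool:
    """Flag only when floor(rand()*2) occurs with enough of the other traits."""
    hits = traits_found(raw)
    return "floor_rand" in hits and len(hits) >= threshold

# Constructed access-log lines (assumed format); the second carries the
# database-name statement from these notes, the fourth is a %20-encoded,
# upper-case request of the same shape.
SAMPLE_LOG = [
    "GET /news.php?id=1 HTTP/1.1",
    "GET /news.php?id=1+and+(select+1+from+(select+count(*),concat((select+"
    "(select+concat(0x7e,0x27,cast(database()+as+char),0x27,0x7e))+from+"
    "information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+"
    "information_schema.tables+group+by+x)a)+and+1 HTTP/1.1",
    "GET /search?q=floor+plans+group+by+price HTTP/1.1",
    "GET /item?id=2%20AND%20(SELECT%201%20FROM%20(SELECT%20COUNT(*),"
    "FLOOR(RAND(0)*2)x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a)"
    " HTTP/1.1",
]

def flagged(lines: list[str]) -> list[int]:
    """Indexes of the lines that look like this error-based statement."""
    return [i for i, line in enumerate(lines) if is_error_injection(line)]

if __name__ == "__main__":
    for i in flagged(SAMPLE_LOG):
        print(i, traits_found(SAMPLE_LOG[i]))
```

The search request in the third sample line contains "group by" but no floor(rand()*2), so it is not flagged.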

In addition, regarding the principle of MySQL error injection, I referred to an article by the Rossoneri and gained a lot from it. The link is written below in case you need to check it out.

http://www.2cto.com/article/201604/498394.html
